When the signature is calculated using
signing algorithm it is added to the url as
hmac query parameter. For example if the signature for a HTTPGET
request to http://example.net/abc?x=2 is fakesignature then following
are valid signed URLs:

http://example.net/abc?x=2&hmac=fakesignature

http://example.net/abc?hmac=fakesignature&x=2

LaterPay provides a /validatesignature endpoint
where merchants can test if their URL signing process and their credentials are
correct.

LaterPay APIs use following algorithm to calculate the signature for incoming
requests:

Obtain the following:

secret

secret string used to sign the request. Example "fakesecret".

base_url

HTTP url consisting of scheme, host, path and without query and
fragment parts. For example if a request went to
http://example.net/p/ath?f=v#frag the base_url would be
"http://example.net/p/ath"

http_method

HTTP method used in the request. Examples: "GET", "POST",
"PUT", "DELETE". Must be uppercase.

params

a list of key value pairs constructed from URL’s query string. There
can be multiple pairs with the same key. Example
(("k2","v1"),("k1","v2"),("k1","v1")) from
http://example.net/p/ath?k2=v1&k1=v2&k1=v1

Make sure http_method, base_url and all params (both keys and
values) are UTF-8 encoded and percent encode them. For example:

Create the message for signing by joining http_method, base_url
and params strings with "&". For example a message for a "GET"
request to http://example.net/test?kæy=vąl&safe?=1+2=3&k1=v2&k1=v1
would be